I usually generate strong passwords using various online tools. Some time ago I mentioned it to a friend of mine and he looked at me as if my life was one big fail. Is it really so unsafe to generate passwords online? Could some kind of cookie be generated that tracks where I pasted it?

3 Answers

In theory there are some ways that one could perhaps build a password generator that is not so bad (e.g., run it in JavaScript, on your local machine, and so forth). However, in practice, there are too many pitfalls that an average user cannot be expected to detect. Consequently, I do not recommend it.

For instance, an average user has no way to vet whether the password generator does indeed ensure that the password never leaves your site. The average user has no way to verify that the web site is not keeping a copy of your password. The average user has no way to verify that the password generation code is using good entropy (and JavaScript's Math.random(), which is the obvious thing to use for this purpose, is not a great pseudorandom number generator).

Just because a password generator doesn't use JavaScript doesn't mean it's not safe; however, it would be easy for the server to store the password sent out with your IP address. If this is a concern, it would be easy to change a few characters in the password. The GRC Ultra High Security Password Generator does not use JavaScript, but "this page will only allow itself to be displayed over a snoop-proof and proxy-proof high-security SSL connection, and it is marked as having expired back in 1999". Each "instance" of this page has multiple passwords, so even if GRC did log them (which I doubt they do) they wouldn't know which one you've chosen to use. If you still want a JavaScript-based generator, here is one.

If the password is being generated locally in JavaScript and there is no traffic back to the server, you should be fine.

If the password was being stored in a cookie it would only be viewable from the site that it originated from, due to the same origin policy. You would also be able to detect this by checking your cookies.

There is the possibility of information disclosure if you use a bookmarklet such as the one at http://supergenpass.com (JavaScript in a bookmark). The bookmarklet is stored locally, but runs in the context of the site you are at, so if there is JavaScript running from that site that is set up to detect your bookmarklet, it could access information that the bookmarklet uses, prompts for, and generates.